More than 22,000 patients of Cambridge University Hospitals NHS Foundation Trust were hit by data leaks that took place between 2020 and 2021.
In both cases, it was an own goal when the org handed over the data itself while responding to requests made under the Freedom of Information (FoI) Act 2000. Also in both cases, extraneous information was left visible in the pivot tables of Excel spreadsheets in the responses.
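An .xlsx file is a zip archive, and a pivot table keeps a copy of its source rows in the archive even when the sheet they came from is hidden or removed, which is why a summary table can carry the full patient list out of the building. The script below is an added example written for this page, not tooling from the trust or the ICO; it lists pivot caches and hidden sheets so a response file can be rejected before release, and the sample workbook it builds uses constructed, made-up values.

```python
"""Pre-publication audit of an .xlsx for embedded source rows (added example).

An .xlsx is a zip archive; a pivot table keeps a copy of its source rows in
xl/pivotCache/pivotCacheRecords*.xml, surviving even after the source sheet is hidden or deleted.
"""
import io, re, zipfile
import xml.etree.ElementTree as ET

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def audit_xlsx(data: bytes) -> dict:
    """Return cached-row counts per pivot cache and the names of hidden sheets."""
    findings = {"pivot_caches": {}, "hidden_sheets": [], "safe_to_publish": True}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # One <r> element per cached source row.
            if re.fullmatch(r"xl/pivotCache/pivotCacheRecords\d+\.xml", name):
                root = ET.fromstring(zf.read(name))
                findings["pivot_caches"][name] = len(root.findall(f"{{{NS}}}r"))
        if "xl/workbook.xml" in zf.namelist():
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{NS}}}sheet"):
                # No state attribute means visible; hidden/veryHidden sheets still ship their cells.
                if sheet.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sheet.get("name"))
    findings["safe_to_publish"] = not (findings["pivot_caches"] or findings["hidden_sheets"])
    return findings


def build_sample_xlsx(with_cache: bool = True, hide_source: bool = True) -> bytes:
    """Constructed minimal workbook: a summary sheet, an optional hidden source sheet, optional cache."""
    state = ' state="hidden"' if hide_source else ""
    workbook = (
        f'<workbook xmlns="{NS}"><sheets><sheet name="Summary" sheetId="1"/>'
        f'<sheet name="Patients" sheetId="2"{state}/></sheets></workbook>'
    )
    # Two cached rows of made-up values; a real cache holds every source row.
    records = (
        f'<pivotCacheRecords xmlns="{NS}" count="2">'
        '<r><s v="H0001"/><s v="Example Patient"/></r><r><s v="H0002"/><s v="Example Patient"/></r>'
        "</pivotCacheRecords>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        if with_cache:
            zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", records)
    return buf.getvalue()
```

A file that reports any pivot cache or hidden sheet should be exported as values-only (or CSV) before release; the counts show how many source rows would otherwise travel with the summary.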
The majority of the patients whose data was made public (22,073) were maternity patients of The Rosie Hospital at the Addenbrooke’s Hospital site. The information revealed included names, hospital numbers, and medical information such as birth outcomes and conception dates.
Individuals booked for care at The Rosie Hospital between January 2, 2016, and December 31, 2019, were impacted by the response, which was posted to the online FoI website WhatDoTheyKnow.
The website alerted the trust to the exposure and promptly removed the information when it learned of it. The data had been available on WhatDoTheyKnow between November 18, 2020, and November 1, 2023.
NHS England’s national cybersecurity team also helped the trust ensure the data was not available anywhere on the internet.
“While there is no evidence in either case of the information being accessed or shared beyond the original recipients, we recognize that such errors are unacceptable given our clear duty to maintain the confidentiality of patient information,” the trust said.
The FoI request itself sought information for a number of matters, including the number of pregnant women considered to have a high or low-risk pregnancy, and questions around rates of premature births and deaths of babies.
The trust said once it became aware of the breach it audited every FoI response from the past 10 years for similar errors – around 8,000 responses – and found an additional case from 2021 in which the data of 373 cancer patients in clinical trials was exposed.
Rather than having information publicly exposed on a website like WhatDoTheyKnow, in this case the response had been issued privately to Wilmington PLC, a company that owns brands in the publishing, information, and training sectors, focusing on compliance, legal, and healthcare.
Names, hospital numbers, and some medical information were included in the response. The trust has written to Wilmington PLC asking for this data to be deleted.
The FoI request sought details related to the treatment of patients with specific types of cancer within the previous six months of the request’s submission.
“We want to apologize unreservedly to our patients for the worry and concern that this news may cause,” the trust said in a statement issued to its website.
The trust confirmed it also gave special consideration to whether to contact affected patients directly.
Because the maternity data included information on birth outcomes, the trust decided not to contact those individuals directly, in case some would not want family members to learn about a pregnancy, for example.
“It is also straightforward for this group of patients to identify themselves based on the date range above,” it said. “Therefore we have decided not to write directly to these patients.
“This is not the case for the cancer patients, for whom self-identification would be less straightforward based on the same level of information, and so we have written to these patients directly.”
Any individuals who are concerned about being potentially affected can access support via freephone or email, details of which can be found on the trust’s website.
“This is a serious data breach, which should not have happened,” said Daniel Zeichner, MP for Cambridge. “I am pleased that once they were aware, the trust has acted swiftly and responsibly, in consultation with patient groups, and has put in place sensible measures to support those affected.
“Anyone concerned should contact the trust for support. There now needs to be a full review to ensure that this cannot happen again.”
In response, the trust has also enhanced the scrutiny of its FoI process, prohibiting spreadsheet responses, and commissioned an external review of the process.
The Information Commissioner’s Office (ICO) has been made aware of the incidents, and a spokesperson told The Register that the watchdog is assessing the information provided.
“We have previously issued an advisory notice to public authorities calling for an immediate end to the use of original source Excel spreadsheets when responding publicly to FoI requests,” the spokesperson said. “This follows a number of recent data breaches where personal information was inadvertently included in spreadsheets that were shared as part of a FoI response.
“Public authorities should be putting robust measures in place to protect personal data when responding to information access requests, and to reassure the people they serve, and their staff, that their information is in safe hands.”
As highlighted by the ICO, the incident at Addenbrooke’s Hospital marks the latest in a long line of data breaches at UK public sector organizations this year.
The Police Service of Northern Ireland (PSNI) was one such example, where a spreadsheet was leaked online containing broad details of all serving officers and civilian staffers. The incident sparked fears for officer safety due to ongoing extremism from the region’s sectarian divide, despite the Good Friday Agreement being signed in 1998.
Norfolk and Suffolk police forces both admitted to data breaches involving spreadsheets in August, in the same week Cumbria constabulary also unwittingly leaked officers’ details online.
Breaches at third-party suppliers were blamed for the data leaks impacting London’s Metropolitan Police and Greater Manchester Police. Officers’ details were also exposed in both cases.
While not in the UK, the data of officers at the Irish National Police (An Garda Síochána) was also exposed after a third-party contractor ran its database without password protection.